How To Use SharePoint 2010 Secure Store As Single Sign-On Service

For SAP Applications Using ERPConnect

Jürgen Bäurle

April 2011

Parago Media GmbH & Co. KG

Introduction

The Secure Store Service in SharePoint 2010 replaces the Single Sign-on Shared Service of MOSS 2007 and provides
an easy way to map user credentials of external resources like SAP systems to Windows users. During the process of
developing SAP interfaces using the very handy ERPConnect library from Theobald Software you have to open a R3
connection with the SAP system using SAP account credentials (username and password).

In most cases you will use a so called technical user with limited access rights to execute or query objects in SAP, but
a SAP system saves a lot of sensitive data which cannot all be shown to all users. So, creating a new secure store in
SharePoint 2010 to save the SAP user credentials will be the solution. Accessing the secure store from program code
is quite simple.

A trail version of the ERPConnect library can be downloaded at www.theobald-software.com.

Secure Store Configuration

The Secure Store Service will be managed by the Central Administration (CA) of SharePoint 2010 under Application
Management > Manage service applications > Secure Store Service:

As the screenshot above shows is it possible to create multiple target applications within one Secure Store Service.

Clicking the New button will open the Create New Secure Store Target Application page. In this dialog you have to
enter the new Target Application ID, a display name, a contact email address and other application related details
(see screenshot below).
Next, the application fields must be defined:

It’s important to select the field type User Name and Password, because our implementation later on will check the
target application for those two field types.

In the last dialog step the application administrator must be defined. After defining the administrator and clicking the
Ok button SharePoint is creating a new secure store:
Next, the Windows users must be mapped to the SAP user credentails. Therefore mark the checkbox for the newly
created secure store SAPCredentialsStore and click the Set button in the toolbar. This opens the following dialog:

The Credential Owner is the Windows user for whom the SAP user credentials will be set. Enter the SAP username
and password and click the Ok button to save them.

That’s it !

Secure Store Programming

Accessing the secure store by code is simple. We implement a SecureStore class which will encapsulate all the access
logic. A second class called SecureStoreCredentials contains the retrieved user credentials returned by the method
GetCurrentCredentials of the SecureStore class.

But first, we need to create a Visual Studio 2010 SharePoint project and reference a couple of assemblies. You can
directly enter the file paths in the Reference dialog (Browse tab) to add the assemblies:

Microsoft.BusinessData.dll
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\ISAPI\Microsoft.BusinessData.dll

Microsoft.Office.SecureStoreService.dll
C:\Windows\assembly\GAC_MSIL\Microsoft.Office.SecureStoreService\14.0.0.0__71e9bce111e9429c\Microsoft.
Office.SecureStoreService.dll

The following code shows the SecureStore class implementation:

internal class SecureStore

{
public string ApplicationId { get; private set; }

public SecureStore(string applicationId)

{
if(string.IsNullOrEmpty(applicationId))
throw new ArgumentNullException("applicationId");
if(!IsApplicationValid(applicationId))
 throw new ArgumentException(string.Format("Target application with ID '{0}' is not
defined.", applicationId));

ApplicationId = applicationId;
}

public SecureStoreCredentials GetCurrentCredentials()

{
SecureStoreProvider provider = new SecureStoreProvider { Context =
SPServiceContext.Current };
string userName = string.Empty;
string password = string.Empty;

using(SecureStoreCredentialCollection data = provider.GetCredentials(ApplicationId))

{
foreach(ISecureStoreCredential c in data)
{
if(c != null)
{
if(c.CredentialType == SecureStoreCredentialType.UserName)
userName = GetDecryptedCredentialString(c.Credential);
else if(c.CredentialType == SecureStoreCredentialType.Password)
password = GetDecryptedCredentialString(c.Credential);
}
}
}

if(string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
throw new SecureStoreException("Credentials for the current Windows user are not valid
or not defined.");

return new SecureStoreCredentials(userName, password);

}

public static bool IsApplicationValid(string applicationId)

{
if(string.IsNullOrEmpty(applicationId))
throw new ArgumentNullException("applicationId");

SecureStoreProvider provider = new SecureStoreProvider { Context =

SPServiceContext.Current };

foreach(TargetApplication application in provider.GetTargetApplications())

{
if(application.ApplicationId == applicationId)
{
ReadOnlyCollection<ITargetApplicationField> fields =
provider.GetTargetApplicationFields(applicationId);
bool existsUserNameDefinition = false;
bool existsPasswordDefinition = false;

foreach(TargetApplicationField field in fields)

{
if(field.CredentialType == SecureStoreCredentialType.UserName)
existsUserNameDefinition = true;
else if(field.CredentialType == SecureStoreCredentialType.Password)
existsPasswordDefinition = true;
}

if(existsUserNameDefinition && existsPasswordDefinition)

return true;
}
}

return false;
}

public static string GetDecryptedCredentialString(SecureString secureString)

{
IntPtr p = Marshal.SecureStringToBSTR(secureString);

try
{
return Marshal.PtrToStringUni(p);
}
finally
{
if(p != IntPtr.Zero)
 Marshal.FreeBSTR(p);
}
}
}

The constructor checks if an application ID is passed and if it’s valid by calling the static method IsApplicationValid.
In first place, the IsApplicationValid method is creating an instance of the SecureStoreProvider class to get access to
Secure Store Service. The SecureStoreProvider class provides all methods to talk to the SharePoint service. Then, the
method queries for all target applications and checks for the given application. If the application has been created
and can be found, the method will analyse the application field definitions. The IsApplicationValid method then
looks for two fields of type User Name and Password (see above).

The GetCurrentCredentials method is actually trying to get the SAP user credentials from the store. The method is
creating an instance of the SecureStoreProvider class to get access to service and then calls the GetCredentials
method of the provider class. If credentials are available the method decrypt the username and password from type
SecureString using the internal method GetDecryptedCredentialString. It then will wrap and return the data into an
instance of the SecureStoreCredentails class.

For more details of the implementation see the source code.

Accessing SAP Using The Secure Store Credentials

The sample and test code calls the SAP function module SD_RFC_CUSTOMER_GET to retrieve all customer data
that match certain criteria (where NAME1 starts with Te*):

The following code shows the implementation of the Test button click event:

protected void OnTestButtonClick(object sender, EventArgs e)

{
string licenseKey = "<LICENSEKEY>";
string connectionStringFormat = "CLIENT=800 LANG=EN USER={0} PASSWD={1} ASHOST=HAMLET ...";

R3Connection connection = null;

try
{
 LIC.SetLic(licenseKey);

...

SecureStoreCredentials credentials =
new SecureStore(ApplicationID.Text).GetCurrentCredentials();
string connectionstring =
string.Format(connectionStringFormat, credentials.UserName, credentials.Password);

connection = new R3Connection(connectionstring);

connection.Open();

RFCFunction function = connection.CreateFunction("SD_RFC_CUSTOMER_GET");

function.Exports["NAME1"].ParamValue = "Te*";
function.Execute();

ResultGrid.DataSource = function.Tables["CUSTOMER_T"].ToADOTable();
ResultGrid.DataBind();

OutputLabel.Text = string.Format("The test called...",

ApplicationID.Text, Web.CurrentUser.Name, Web.CurrentUser.LoginName,
credentials.UserName);
}
catch(Exception ex)
{
WriteErrorMessage(ex.Message);
}
finally
{
if(connection != null && connection.Ping())
connection.Close();
}
}

The interesting part is the retrieval of the SAP user credentials from the secure store defined in the text box named
ApplicationID. The application ID will be passed as parameter to the constructor of the SecureStore class. After
creating the instance the method GetCurrentCredentials will be called to ask the store for the credentials of the
current Windows user.

After the user credential query has been successfully executed the SAP connection string will be constructed. Then
the connection string will then be used to create an instance of the R3Connection class to connect with the SAP
system. The remaining code is just calling the function module SD_RFC_CUSTOMER_GET and binding the result
to the SPGridView.

That’s all.

Summary

This article has shown, how easy it can be to integrate Secure Store Services into your own SharePoint application
and keeping the security standards high while communicating with SAP.

Contact Information

If you have any feedback or suggestions, please feel free to contact me:

Jürgen Bäurle
jbaurle@parago.de
http://www.parago.de/jbaurle

Parago Media GmbH & Co. KG

Im Wengert 3 | 71336 Waiblingen, Germany | Phone +49.7146.861803 | Internet http://www.parago.de